
Latest FCKEditor ASP upload bypass vulnerability

Original poster, posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"
Tested against PHP: no effect.
Tested against ASP/ASPX: success.
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp

As the screenshot shows, the webshell is: http://localhost/userfiles/file/asd(1).asp
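An added illustration of the quick patch and of the Burp steps above, written for this page and not taken from the post, from the exploit-db advisory or from FCKeditor itself: a Python model of the allowed-extension check before and after anchoring the pattern. It assumes, as the `^(...)$` fix implies, that the vulnerable path tests the text after the last dot against the configured pattern with a case-insensitive, unanchored regex search, and it models only the NUL truncation of the stored name, not the duplicate-file renaming that produced `asd(1).asp` in the post. The extension list and the file names are constructed samples; `is_safe_upload_name` is an extra defence-in-depth check I added, not part of the patch.

```python
import re

# Constructed sample of an FCKeditor-style allowed-extension list for the "File"
# resource type (assumption: the real config.asp lists many more types; only
# the shape "ext|ext|ext" matters here).
ALLOWED_FILE_EXTENSIONS = "7z|gif|jpg|pdf|txt|zip"

UNPATCHED_PATTERN = ALLOWED_FILE_EXTENSIONS                # original config.asp line
PATCHED_PATTERN = "^(" + ALLOWED_FILE_EXTENSIONS + ")$"    # quick patch from the post


def extension_of(filename):
    """Text after the last dot, or '' when there is none (assumed connector behaviour)."""
    dot = filename.rfind(".")
    return filename[dot + 1:] if dot >= 0 else ""


def pattern_allows(filename, pattern):
    """Model of the connector's check. A VBScript RegExp with IgnoreCase=True
    reports a match anywhere in the tested string, like re.search, unless the
    pattern itself carries ^ and $ anchors."""
    return re.search(pattern, extension_of(filename), re.IGNORECASE) is not None


def stored_name(filename):
    """Name the Win32 file API creates: a raw NUL terminates the C string the
    name is passed as, so everything after it is dropped."""
    return filename.split("\x00", 1)[0]


def is_safe_upload_name(filename):
    """Added defence-in-depth (my suggestion, not from the post): besides the
    anchored extension match, refuse any control character anywhere in the
    name, so a config line that was missed cannot reintroduce the NUL trick."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in filename):
        return False
    return pattern_allows(filename, PATCHED_PATTERN)


def evaluate(filename):
    """Compare the unpatched and patched check for one submitted name."""
    return {
        "unpatched_allows": pattern_allows(filename, UNPATCHED_PATTERN),
        "patched_allows": pattern_allows(filename, PATCHED_PATTERN),
        "safe_name_ok": is_safe_upload_name(filename),
        "stored_as": stored_name(filename),
    }


if __name__ == "__main__":
    # Constructed inputs: the two names from the post plus two controls.
    for name in ["asd.asp.txt", "asd.asp\x00txt", "asd.asp", "asd.TXT"]:
        print(repr(name), evaluate(name))
```

With the unanchored list the submitted name `asd.asp%00txt` (raw NUL after URL conversion in Burp) passes, because the extension string `asp<NUL>txt` contains `txt` somewhere; the file system then sees the C string `asd.asp`. With the anchored pattern the whole extension must be one listed type, so the same name is rejected, and the control-character check rejects it even before the pattern is consulted.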
